6.1 Introduction

Industrial agents (IAs) are considered a key enabler for industrial applications (Leitão et al., 2013), and therefore sophisticated approaches using them have been developed over the past years. Probably the most well-known example of such a system is the one deployed in the factory of DaimlerChrysler, as analyzed by Schild and Bussmann (2007). However, it is noticeable that most of the existing approaches focus on the provision of core functionalities relevant to the application, while other aspects, such as security and privacy, that are not immediately visible are considered second-class priorities and are often neglected or realized only at a very basic level. With the emergence of Cyber-Physical Systems (CPS) (ACATECH, 2011; Colombo et al., 2014), and especially their application in the industrial domain, the business landscape is changing, because they offer sophisticated capabilities that may be transformed to competitive business advantages. However, as Porter and Heppelmann (2014) point out, in such environments, underestimating security and privacy pose one of the greatest strategic risks.

Due to increasingly sophisticated security threats (Cheminod et al., 2013), it has been repeatedly shown that industrial systems are largely becoming vulnerable and so is the critical infrastructure they control. However, although awareness is rising, dealing effectively with these is still not adequately addressed. Security, trust, and privacy are aspects that also in the IA domain are not given appropriate importance and are usually considered future add-ons, once the IAs achieve their breakthrough. Although this may have been acceptable some years ago, where their utilization—e.g., in factories was done in highly controlled and isolated environments with low probability of misuse—today we are far from such “safe-haven” systems. The recent Stuxnet worm (Karnouskos, 2011) exposed the vulnerability of modern industrial systems even in the most controlled environment of a nuclear facility. In addition, the penetration of Internet technologies and concepts, the amalgamation of industrial networks and IT systems, as well as the need for tackling increasingly complex industrial systems with common means, has increased the risks introduced to and by IA systems.

6.2 Technology Trends and IAs

To better understand the transformation on industrial systems and how this affects IA approaches, we have to consider the vision of future industrial systems (Colombo and Karnouskos, 2009; Kagermann et al., 2013), as well as the trends in technologies to realize it. Today we see an increased penetration of Internet technologies in industrial settings and an amalgamation of the different concepts and technologies in enterprises and on shop floors (Colombo et al., 2014). Some key trends we witness include:

• Information-Driven Interaction: Future integration will not be based overwhelmingly on the data that can be collected and delivered, but rather on the services and intelligence that each device/system can deliver to an infrastructure. These information points will be distributed and provide local intelligence (including monitor and control capabilities) via well-defined interfaces while their interworkings are hidden. The interactions that happen among them will give emergence to system-wide characteristics and capabilities. IAs fit well in this role due to their characteristics. Security though will be critical because the task to empower modern scenarios that rely on such interactions without revealing key competitive advantages to other parties is challenging.

• Distributed Business Processes: In large-scale sophisticated infrastructures, business processes can be distributed in-network—e.g., in the cloud and on the device. Thus, processing information and local decisions can be done where it makes sense and where it is close to the point of action, while only necessary info is propagated to higher levels for system views. IAs provided with the right capabilities and resources can host the logic to execute business processes and become part of complex orchestrations. However, how to securely and efficiently outsource such functionalities to IAs, especially in enterprise-wide and cross-enterprise scenarios, still needs to be properly addressed.

• Cooperation: Highly sophisticated networked devices are able to carry out a variety of tasks not in a stand-alone mode as is usually done today, but taking into full account dynamic and context-specific information. As such, we see the emergence of a highly distributed intelligent infrastructure that is able to cooperate, share information, act as part of communities, and generally be an active element of a more complex system (Marrón et al., 2012). IAs can be seen as an add-on to such devices, which can take over management of interactions and cooperation. Security aspects relevant here are manifold, including modern research in reputation systems and building of collaborative systems and infrastructures.

• Cloud Computing and Virtualization: Virtualization addresses many enterprise needs for scalability, more efficient use of resources, and lower Total Cost of Ownership just to name a few. Cloud computing is emerging powered by the widespread adoption of virtualization, service oriented architecture, and utility computing. For IAs, this is of relevance because now resources can be dynamically adjusted to the needs of an IA for the execution of a scenario. This means that IAs can cohabit resource-constrained devices and systems, while in parallel outsource more demanding (resource consuming) functionalities to the cloud. However, this strong dependence and communication between the local and cloud IAs may raise some security concerns or may not be wished or appropriate—e.g., in critical infrastructures.

• Multi-Core Systems and GPU Computing: The last ten years we have seen the rapid prevalence of multi-core systems that nowadays start to dominate not only everyday devices but also traditional embedded industrial systems. The general trend is toward chips with tens or even hundreds of cores, simultaneous multi-threading, memory-on-chip, etc., which promise high performance and a new generation of parallel applications unseen before in embedded systems. Additionally, in the last decade we have seen the emergence of GPU computing where computer graphic cards are taking advantage of their massive floating-point computational power to do stream processing. For IAs and generally multi-agent systems, this adds new capabilities, especially toward running complex simulation scenarios. For instance, specific analytics on an embedded device can now be realized at high performance in the GPU, which empowers new IA applications at the edges.

• Infrastructure Servicification: Service Oriented Architectures (SOA) have penetrated modern infrastructures from larger systems down to even simpler networked embedded devices. As the latest have become more powerful with respect to computing power, memory, and communication, they are starting to be built with the goal to offer their functionality as one or more services for consumption by other devices or services. Due to these advances, we are slowly witnessing a paradigm shift where devices can offer more advanced access to their functionality and even host and execute business logic, therefore effectively providing the building blocks for expansion of service oriented architecture concepts down to their layer. Web services are suitable and capable of running natively on embedded devices, providing an interoperability layer and easy coupling with other components in highly heterogeneous shop floors. IAs can take advantage of such a SOA-based infrastructure and build more sophisticated approaches on top. However, this also increases the requirements for trust, security, and potentially also privacy.

• Trust and Privacy: As the infrastructure becomes more complex and we move away from monolithic systems that host the fully fledged functionalities toward cooperative and modularly built systems, so does the dependence on key requirements among them, including trust and in some scenarios privacy. The privacy issues, especially, have not been adequately tackled when it comes to the IA scenarios, mostly because, up to now, operations were carried out in strongly controlled environments where the majority of data and processes was owned by a single stakeholder. However, with the increased generation of data due to the Internet of Things, new approaches such as analytics and simulation can be realized based on distributed cross-enterprise real-world data. Hence introducing and enforcing a full policy-driven data life-cycle management remains a grand challenge. For IAs, this becomes relevant because they need to operate on large datasets but also respect policies and privacy-preserving approaches, while in parallel also make sure that their operations do not leak or provide information that might be misused.

• Cyber-Physical Systems: Although the majority of IA systems up to now was realized in software with limited integration in hardware, the advances in networked embedded devices in industry the last several years indicate that this is already changing. The significant decrease in hardware prices with the parallel increase in the computational and communication resources it may possess, have given rise to several systems that can be largely summarized under the CPS domain. These go beyond traditional stand-alone monolithic systems that could have some intelligence and be empowered by IAs. On the contrary, they are multi-faceted multi-layer entities (both in hardware and software) that are highly complex and can operate autonomously but also in cooperation with other systems both on-premise and out-of-premise. The latter is empowered by the usage of Internet technologies and connectivity, including the cloud paradigm. As such, IAs have assumed new roles in CPS, and not only can execute in CPS but also rely on external entities—e.g., for activities offloading, cooperation, and wide-area management.

As depicted in Figure 6.1, we see a shift to the realization of IAs. Up to now these were mostly software solutions with some management/control capabilities on the underlying hardware (as shown in the left side of Figure 6.1). With the prevalence of the cloud and Internet technologies the intelligence of a single IA can now rely both on device and in cloud, creating a cooperation link among its different parts (as shown in the right side of Figure 6.1) that may lead to a better solution. The latter implies that IAs must now operate as part of a much more complex system; hence, naïve approaches especially related to security are neither contemporary nor realistic. Figure 6.2 presents an overview of some potential threats within the operational context of IAs, which we will investigate more closely.

6.3 Agent Threat Context

Security in software agents is in general a challenging issue, and several considerations are made (Jansen and Karygiannis, 1999; Mcdonald, 2006; Karnouskos, 2001) including potential dependence on operational conditions, applications, etc. The security threats arise (as also shown in Figure 6.2) due to the special properties agents usually possess and utilize (e.g., autonomy, mobility, code execution, etc.), which leads to key threats common in mobile code that transports and executes itself. Although the examples given next are not exhaustive, they should provide a general basis for understanding of threats relevant to IAs.

6.4 Requirements on IA Solutions

IAs may suffer from the security threats common to all software agents, but there are also differences related to the operational context where they are utilized in industrial environments. In IAs, the emphasis is put on the specific requirements that need to be fulfilled, sometimes at all costs, such as reliability, fault-tolerance, scalability, industrial standard compliance, quality assurance, resilience, manageability, and maintainability, etc. Depending on the scenario where IAs are used, these requirements may have varying degrees of importance and the focus is on well-established, stable, and proven approaches rather than experimental and not fully tested features. Also industrial solutions need to fully guarantee business continuity as well as compliance to quality and legal requirements posed on the industrial domain where they are utilized. Therefore, technology as such is not the only criterion, but rather the whole operational context and life cycle of the IA solution is considered.

Each IA system solution naturally has to support the requirements set by the respective cases. While most functional requirements may be case specific and security should be integrated directly in their design, implementation, and operation, there are several other non-functional requirements that usually industry considers. These industrial requirements may differ to the degree in which they are important per case; however, these usually significantly differ from the ones imposed in simple prototypes and proof of concept operations, as they need to be deployed in productive environments and adhere to their operational context. Examples of these include:

• Code Quality: Software companies developing industrial solutions have standards they adhere to, in order to guarantee the quality of the developed solution. While typical development pitfalls can be avoided, such as insecure practices which would enable the IA threats mentioned to apply, there are also other motivations such as maintainability, easy refactoring of libraries, consistency of features, configurability, easy logging/debugging, etc.

• Maintainability: The solution has to be easily maintainable, which implies modularity of the developed approach, incremental updates, minimization of downtime, on-the-fly feature enablement, testability, etc.

• Policy Compliance: As any solution used in productive industrial environments, IA solutions also need to adhere to the policies set by the organization and comply to the requirements. However, matching these policies to the interaction patterns of IAs is challenging and requires expert knowledge. The balance between security and operational aspects that adhere to the policies needs to be considered starting from the design phase of IAs.

• Upgradeability: IA solutions have all the advantages, as well as the security threats, of modern mobile devices and software. As such, the unattended upgrades of their functionalities (agents), as well as those of their execution environment (host platform), are of high priority.

• Manageability: IAs, independently if they are static or roam the network, interact with systems and services and collect, store, and transmit business relevant (and potentially critical) data such as location information, process data, critical infrastructure measurements, etc. These should be protected and securely managed—e.g., with utilization of encryption or secure communication. They should also be easily integrateable in the existing management infrastructure of the organization.

• Auditability: IAs perform a multitude of functions. For example, they interact with systems, perform management actions, control physical systems, negotiate contracts, etc. As such, the auditability of their operations is often a requirement, especially when interacting with third-party systems and services. Not only security but also trust are key issues here.

• Safety: Considering that IAs have been integrated within or interact and manage physical systems (Mařík et al., 2005), and that the latter operate in critical infrastructures or factory shop floors, safety is considered a high-priority requirement. Any security breach or misbehavior on the IA side may have real-world consequences and threaten the safety of employees and the infrastructure.

• Extensibility/Modularity: IAs have high negotiation skills and can easily interact with Internet-based services, which calls for robust modular approaches that extend their functionalities based on the available services. Although this increases certain qualities of the IAs, it also creates a dependence on the infrastructure services which may be misused, as we have already discussed.

• Performance: For many industrial scenarios, the performance of the agents is critical because it dictates the performance of the system. Especially in cases where production lines are controlled or near real-time decisions need to be made, the performance of the IAs is one of the highest priorities. Many security and performance tradeoffs may be considered (Zeng and Chow, 2013), depending on the concrete requirements.

• Reliability: Industrial applications have to operate reliably and in a deterministic manner. A crash or misbehaving IA may result in physical damages in the factory and of course cause a financial impact due to damage, delays, system reconfiguration, maintenance, etc.

• Usability: For solutions interacting with users (e.g., operators, engineers etc.), several aspects need to be considered because they directly impact productivity, training and support costs, development time and costs, maintenance, customer satisfaction, etc. Today, these aspects are largely ignored in IA domain, and the focus is mostly on functionality.

• Energy Efficiency: In specific scenarios, the IAs operate within resource-constrained devices and therefore must ensure the lowest impact to its resources (computation, communication, memory, etc.). However, this is challenging because the agent must also have an understanding of its operational environment and the energy impact of its actions.

As we can see, some of the example requirements mentioned (which constitute in no way an exhaustive list), can have a significant impact on the design, implementation, operation, and acceptance of IA solutions. Security, trust, and privacy, though, touch directly or indirectly on all of these, and although some overhead might be imposed, not considering them in the solution realization is not an option for systems used in production environments.

6.5 Discussion

Security is a process, and as such (i) tradeoffs are inevitable and (ii) the question is not if an incident happens, but how to timely identify it (Vollmer and Manic, 2014) and effectively deal with it. To this end, prioritized security goals and consistent security policies must be in place and be respected by the IA solution. Secure activity logging, as well as real-time monitoring, anomaly detection, and analytics could help in the early identification of security breaches.

Traditional security measures (e.g., protection with firewalls, honeypots, known attack scanning, etc.), although necessary, are not seen enough. Especially in the era of IPv6 where globally unique IP addresses per device are supported, security and privacy issues should be revisited. In light of the new security, mobility, and quality of service features offered by the protocol (e.g., IPsec, enablement of privacy extensions, etc.), as well as their utilization in IA scenarios, there is a need to have a holistic understanding of efficient usage of the offered capabilities, as well as how they can be misused.

Effective security can be achieved at a high degree when security considerations and good practices can be integrated in the life cycle of the industrial agent solution. This includes:

• IA system requirements and use cases: These need to be properly defined (Mead et al., 2009), and weak points should be identified. Detailed scenarios and diagrams should be documented that provide clarity on the functionalities and actor interactions. Subsequently, “threat” cases can be defined, clearly depicting misuse potential in the system and its operations.

• IA systems design and implementation: During design and implementation, concrete technologies and interaction patterns come into realization. Detailed system architecture diagrams and attack trees should be defined and documented. Here also technology-specific analysis should be performed to guarantee that the implementation is not exposing the solution to threats. Typical security actions including code reviews, modular usage of software, and incremental updates are examples that could be considered.

• IA systems operational threat and vulnerabilities identification: While secure design and implementation may be realized, this does not guarantee a secure operational phase. As such, detailed monitoring, penetration testing, and risk analysis should be carried out, identifying additional potential cases for misuse.

• IA systems risk analysis, impact, and mitigation: the extent of security breaches has to be considered, and the impact on the productive systems has to be assessed, including the business relevant impact. Subsequently, mitigation plans have to be put in place that guarantee business continuity and resilience.

IA solutions and their operation has to follow common best practices for securing information technology systems. This implies adherence to key elements such as those identified by Swanson and Guttman (1996). IA solutions will also need to be largely aware of the operational context and this includes multiple security considerations such as:

• Agent-based security: This includes both agent as well as agent host execution environment relevant aspects. As such, considerations should be made toward attack detection (side/covert channels, communication patterns etc.), resilience and availability, code security, etc.

• Network security: network services, communication, topology, discovery, routing, etc.

• Hardware security: trusted execution hardware platform, firmware attacks, tamper detection, security function offloading, cryptoprocessors etc.

• Data security: repudiation, trust, integrity, privacy, authorization, life cycle management, etc.

• User security: awareness of a system’s capabilities and threats, the integration of user feedback etc.

Security safeguards need to be in place, not only on the individual CPS hosting the agent or interacting with it, but also on the processes in which they participate (Karnouskos, 2014). This requires system and potentially system-of-system-wide behavior monitoring and checks for anomalies (Pereira et al., 2013). Heuristics for estimating behavior deviation may provide hints, which should be assessed and analyzed in conjunction with other metrics. This is challenging but probably achievable to some degree if the process is under the control of a limited number of stakeholders. However, in the envisioned widely collaborative CPS systems-of-systems, this is a daunting task.

Software and hardware security are not the only issues to be considered; human users must be included in the process (Karnouskos, 2014). Security clearance on people does not imply security on their accompanying assets. In the Stuxnet case (Karnouskos, 2011), a trustworthy employee with an unknowingly rootkitted laptop or an infected USB flash drive would be enough to spread the virus. This could be, for instance, a contractor carrying a personal device, who is assigned to do maintenance on a facility. Perceived trust and risk assessment (Patrick, 2002) are seen as key aspects to be considered when designing, deploying, and operating IA solutions. Risk assessment should also include a survivability analysis for the threats, mitigation strategies, as well as impact analysis (e.g., on operational aspects). The latter is also of key importance for industrial systems, as most of them are connected to real-world processes and any malfunction has direct consequences on business processes, operations, and finances.

To be able to see the potential misuse, one has to be well acquainted not only with general good practices of security management and coding, but also understand the capabilities and potential of specific IA technologies and systems that use it. Failure to do so will probably result in ineffective enterprise-wide strategies or the enforcement of constraints, which might be ineffective or severely limit the benefits brought by the IA solution. The latter can have a significant impact on the acceptance of IA solutions overall, as we are still in the early stages of its widespread usage in industrial productive systems.

Finally, deciding on the adoption of IAs has to do with the tangible business benefit it will bring to the production environment where it will be utilized. Hence, the targeted space of promising IA solutions are seen in the common space defined by industrial requirements (including security, safety etc.), agent capabilities, technology trends, and tangible business benefits as depicted in Figure 6.3. This aspect is pointed out also by Schild and Bussmann (2007), who also mention that “in different industries the same system may have a quite different economic impact.” As such, we conclude and reinforce the view that a security-enabled holistic view is needed.

6.6 Conclusions

Agent technologies in general, as well as IAs have been with us quite some time. However, up to now we have seen limited utilization in industrial productive environments, while several use cases have been successfully demonstrated in labs and for research purposes. As we have analyzed, key technology trends, and especially CPS, provide another chance for IAs, as the latter could act as enablers in several aspects of the emerging Industrie 4.0 infrastructure (Kagermann et al., 2013) and play a pivotal role toward achieving that vision. However, to do so, security aspects need to be properly addressed for the whole life cycle of the IA systems. We have already investigated several threats that may arise directly or indirectly with the operation of the technology, and how additional requirements of industrial systems should be considered if IAs are to be widely accepted and used in real-world industrial settings.